Flexible Information-Flow Control
Doctoral thesis, 2018
becomes an increasingly important concern. This thesis presents work on ensuring
that information processed by computing systems is not disclosed to third
parties without the user's permission; i.e. to prevent unwanted flows of
information. While this problem is widely studied, proposed rigorous
information-flow control approaches that enforce strong security
properties like noninterference have yet to see widespread practical use.
Conversely, lightweight techniques such as taint tracking are more prevalent in
practice, but lack formal underpinnings, making it unclear what guarantees they
provide.
This thesis aims to shrink the gap between heavyweight information-flow control
approaches that have been proven sound and lightweight practical techniques
without formal guarantees, such as taint tracking. It attempts to reconcile
these areas by (a) providing formal foundations for taint-tracking approaches,
(b) extending information-flow control techniques to more realistic languages
and settings, and (c) exploring security policies and mechanisms that fall
between information-flow control and taint tracking, and investigating what
trade-offs they incur.
software security
information-flow control
program verification
language-based security
Author
Daniel Schoepe
Chalmers, Computer Science and Engineering (Chalmers), Information Security
Explicit Secrecy: A Policy for Taint Tracking
1st IEEE European Symposium on Security and Privacy (EuroS&P 2016), Saarbruecken, Germany, 21-24 March 2016, pp. 15-30
Paper in proceeding
Let’s face it: Faceted values for taint tracking
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 9878 LNCS (2016), pp. 561-580
Paper in proceeding
Daniel Schoepe, Toby Murray, Andrei Sabelfeld - Veronica: Verified Concurrent Information-Flow Control Unleashed
JSLINQ: Building secure applications across tiers
6th ACM Conference on Data and Application Security and Privacy (CODASPY 2016), New Orleans, United States, 9-11 March 2016, pp. 307-318
Paper in proceeding
Marco Guarnieri, Daniel Schoepe, Musard Balliu, David Basin, Andrei Sabelfeld - Information-Flow Control for Database-Backed Applications
Understanding and Enforcing Opacity
28th IEEE Computer Security Foundations Symposium (CSF 2015), Verona, Italy, 13-17 July 2015, Vol. 2015-September, pp. 539-553
Paper in proceeding
We are family: Relating information-flow trackers
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 10492 LNCS (2017), pp. 124-145
Paper in proceeding
Cristian-Alexandru Staicu, Daniel Schoepe, Musard Balliu, Michael Pradel, Andrei Sabelfeld - An Empirical Study of Information Flows in Real-World JavaScript
Software plays an increasingly important role in society and few areas of modern
life are unaffected by code: It influences how we communicate with others, how
we consume news, what we read, and how we access and share information, and even
how we elect our officials, among many other aspects. As a result, software has
access to more and more sensitive information about us, and how that information
is handled is becoming more and more crucial. If private information is leaked,
it may affect our finances, our relationships, and even our democracy. For
journalists and dissidents, even their lives sometimes depend on software
keeping their secrets safe.
However, even for experts, it is very hard to find out whether an application
will properly protect the sensitive data it has access to. This thesis explores
ways to ensure information is not leaked by applying mathematical reasoning to
the code running on our devices. For example, when installing an Android
application, a user can either allow or deny the application access to private
information, but once access has been granted, the user does not know whether
the application will then send this information out over the internet. Using
mathematical reasoning to analyze software, we can control how an application
handles the information it accesses and make sure it is not leaked.
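The contrast the abstract draws between taint tracking and noninterference, and the Android scenario just described (access granted, data then sent out), as an added example that is not code from the thesis. A toy dynamic taint tracker propagates a taint bit along explicit data flows only; a program that rebuilds the secret through branches (an implicit flow) produces an untainted value and passes the sink check, yet a two-run noninterference check over different secrets shows the leak. The `Tainted` class, the `send_to_network` sink, `launder_int`, `taint_tracker_blocks` and `violates_noninterference` are all constructed for this illustration.

```python
"""Explicit versus implicit flows: a toy dynamic taint tracker and a noninterference check.

Added illustration; not code from the thesis. The Tainted class, send_to_network
sink and launder_int program are hypothetical and constructed for this example.
"""


class Tainted:
    """A value carrying a taint bit. Only explicit data flows (operands of an
    expression) propagate the bit; control dependencies are not tracked, which
    is exactly the gap between taint tracking and noninterference."""

    def __init__(self, value, tainted=False):
        self.value = value
        self.tainted = tainted

    def _combine(self, other, op):
        if isinstance(other, Tainted):
            return Tainted(op(self.value, other.value), self.tainted or other.tainted)
        return Tainted(op(self.value, other), self.tainted)

    def __add__(self, other):
        return self._combine(other, lambda a, b: a + b)

    def __mul__(self, other):
        return self._combine(other, lambda a, b: a * b)

    def __repr__(self):
        return f"Tainted({self.value!r}, tainted={self.tainted})"


def send_to_network(v):
    """Constructed sink modelling 'send this over the internet'. The taint policy
    blocks tainted values; anything else is observable by the receiver."""
    if v.tainted:
        raise PermissionError("taint tracking: secret flows explicitly to network sink")
    return v.value


def launder_int(secret, bits=8):
    """Reconstruct an 8-bit secret using only branches on it. Every value stored
    in `out` is built from untainted constants, so the tracker never flags it."""
    out = Tainted(0)
    for i in range(bits):
        if (secret.value >> i) & 1:   # implicit flow: branch condition depends on secret
            out = out + (1 << i)      # explicit operands are untainted
    return out


def taint_tracker_blocks(program, secret_value):
    """True if the taint policy stops `program` from sending its result."""
    try:
        send_to_network(program(Tainted(secret_value, tainted=True)))
        return False
    except PermissionError:
        return True


def violates_noninterference(program, secret_inputs):
    """Two-run style check: a program is noninterferent on these inputs if the
    public observation (what reaches the sink, or that it was blocked) is the
    same whatever the secret was. Any difference in observations is a leak."""
    observations = set()
    for s in secret_inputs:
        try:
            observations.add(send_to_network(program(Tainted(s, tainted=True))))
        except PermissionError:
            observations.add("blocked")
    return len(observations) > 1


if __name__ == "__main__":
    secrets = [0, 0b10110101, 0xFF]          # constructed sample secrets
    explicit = lambda s: s * 2               # leaks via an explicit data flow
    print("explicit flow blocked by tracker:", taint_tracker_blocks(explicit, 181))
    print("explicit program violates NI:    ", violates_noninterference(explicit, secrets))
    print("laundered flow blocked by tracker:", taint_tracker_blocks(launder_int, 181))
    print("laundered program violates NI:    ", violates_noninterference(launder_int, secrets))
```

The tracker and the noninterference check disagree only on `launder_int`: the tracker sees nothing tainted reach the sink, while the two-run check observes a different output for every secret. Enforcing noninterference requires tracking the control dependency at the branch (or a static type system over the whole program), which is the extra cost the abstract refers to.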
Programming Language-Based Security To Rescue (PROSECUTOR)
European Commission (EC) (EC/FP7/307544), 2013-01-01 -- 2017-12-31.
AppFlow: Putting Information Flow Control to Work
Swedish Research Council (VR) (2014-6222), 2015-01-01 -- 2018-12-31.
Subject Categories (SSIF 2011)
Computer Science
ISBN
978-91-7597-832-1
Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 4513
Publisher
Chalmers
ED, EDIT building, Rännvägen 6, Chalmers
Opponent: Alexander Pretschner, Technical University Munich, Germany